HIPAA - A Ticking Time Bomb
HIPAA compliance requires a balanced approach between people, process and technology
When the Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996, it was done with much fanfare.
Yet, more than 25 years later, companies that are within or have a connection to the healthcare industry are struggling to comply with HIPAA. In fact, recent estimates suggest less than one third of such companies are in full compliance with the Act, a stunning number. That realization is made all the more vexing by a growing trend toward a rise in data breaches. In particular, ransomware breaches increased more in 2021 than in the previous 5 years combined. In a Cybersecurity newsletter dated March 17, 2022, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) reported that the number of cybersecurity breaches involving healthcare entities, which impacted 500 or more individuals due to hacking or IT incidents, increased a whopping 45 percent from 2019 to 2020.

Lack of compliance comes at a great cost. The Ponemon Institute Cost of a Data Breach report, which examines the average cost of a breached data record globally across all industries, recently estimated the cost at $141 per record. More significantly here, the average cost of a breached healthcare record is estimated at $499 a record. More than 50 million patient records were breached in 2021 alone (per the 2022 Protenus Breach Barometer), costing the industry an estimated $25 billion. These are troubling statistics at any moment in time, but with the current state of affairs, these numbers are crippling. It is a pandemic of epic proportions. In spite of these shocking facts, this is an addressable problem.
Notably, while “some attacks may be sophisticated and exploit previously unknown vulnerabilities (i.e., zero-day attack), most cyber-attacks could be prevented or substantially mitigated if HIPAA covered entities and business associates implemented HIPAA Security Rule requirements to address the most common types of attacks, such as phishing emails, exploitation of known vulnerabilities, and weak authentication protocols,” according to the OCR report mentioned above.

How is it possible that a quarter-century later two-thirds of healthcare entities in the US fail to meet the minimum standards of HIPAA? Compliance has traditionally been complicated and expensive, and most of healthcare in the US is made up of small to mid-sized businesses that don’t have the financial means or resources to address these challenges, much less keep up with changing regulations or the latest vulnerabilities. In addition, just like healthcare organizations, the OCR is stretched thin. As a result, enforcement and accountability professionals are reactive rather than proactive: they investigate breaches after the fact, instead of instituting proactive assessment and accountability measures to ensure facilities are prepared.

There is also a lack of proper education on HIPAA, which has created many false narratives. For example:

• I use a HIPAA compliant electronic medical records system – therefore I am HIPAA compliant.
• We bought HIPAA policy and procedure templates and store them in a policy management system – therefore we are compliant.
• All of our data is stored with a HIPAA compliant cloud provider – therefore we are compliant.
• I’ll deal with all this if/when I have to, i.e. when I have a breach.
• HIPAA compliance is a static goal I can achieve.

Many of the items above are an important part of a compliance strategy but cannot be the only strategy. HIPAA compliance requires a balanced approach between people, process and technology.
We need a comprehensive strategy that includes an inventory of assets, evaluation of threats, strategic planning for remediation, training for workers, and ongoing monitoring of progress as well as of new threats.

The Silver Bullet?

We’re all looking for the silver bullet. Unfortunately, we can spend millions of dollars on the perfect technology, and write all the necessary policies and procedures, but healthcare is provided by humans, who make mistakes. According to the Verizon 2022 Data Breach Investigations Report, 82% of breaches in 2021 involved the human element, including social attacks, errors, and misuse. This is why ongoing training, security reminders, learning exercises and other creative forms of education are so critical now, more than ever. Compliance is not a destination; it’s a journey, a process we must continue to iterate. If we aren’t working on compliance, we’re losing ground.

Bad Habits

But it’s not just our lack of education; we have also developed poor cyber security habits, which make us easy prey to bad actors. “Threat actors do not necessarily need elaborate and sophisticated tactics to successfully take advantage of victims,” noted Cyber Security News in May of 2022. “Cyber actors routinely exploit poor security configurations, weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system.” While there are many “poor cyber security habits” we can fall prey to, one of the leading issues is the lack of up-to-date patches. In fact, the United States Cybersecurity and Infrastructure Security Agency (CISA) has added 36 new flaws to its catalog of vulnerabilities that are known to be exploited by cyber criminals. The CISA alert warns that the vulnerabilities are a frequent attack vector for malicious attackers and pose “significant risk”. CISA’s advice: Patch Now!
All of these known vulnerabilities have fixes or patches that remove the threat of exploitation, and yet many organizations have not applied them and remain unprotected. Sound overwhelming? It certainly can be. However, it’s no longer something we can ignore or put off; the stakes are too high. Please don’t wait another day.
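The two habits the article ties together, keeping an inventory of assets and patching the flaws in CISA’s known-exploited catalog, can be checked mechanically. The script below is an added example written for this page; it is not code from the article or from CISA. It cross-references a small asset inventory against catalog entries and lists which assets still carry an unpatched catalogued flaw, overdue ones first. The entry field names (cveID, vendorProject, product, dateAdded, dueDate) are assumed to mirror CISA’s published JSON feed; the CVE identifiers, vendors, products and asset names are constructed placeholders, and the “patched CVEs” set per asset is an assumed inventory attribute that a real configuration management database would have to supply.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed catalog entries in the shape of a known-exploited-vulnerabilities feed
# (field names assumed to match CISA's JSON feed; ids and products are placeholders).
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dateAdded": "2022-05-01", "dueDate": "2022-05-22"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dateAdded": "2022-06-10", "dueDate": "2022-07-01"},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "EMR Server",
         "dateAdded": "2022-06-14", "dueDate": "2022-07-05"},
    ]
}


@dataclass
class Asset:
    """One row of a (hypothetical) asset inventory.

    patched_cves is an assumed attribute: the set of catalogued CVE ids for which
    the vendor fix has already been applied to this particular asset.
    """
    name: str
    vendor: str
    product: str
    patched_cves: set = field(default_factory=set)


# Constructed inventory. Note the mixed casing and spacing on emr-db: inventories
# rarely spell vendor and product names exactly the way the catalog does.
INVENTORY = [
    Asset("vpn-01", "ExampleVendor", "Gateway", {"CVE-0000-00001"}),
    Asset("emr-db", "othervendor", "emr  server"),
    Asset("imaging-ws", "ThirdVendor", "Viewer"),
]


def _norm(text: str) -> str:
    """Case- and whitespace-insensitive key so inventory spelling matches the catalog."""
    return " ".join(text.lower().split())


def find_exposures(inventory, catalog, today: date):
    """Return one finding per (asset, unpatched catalogued CVE), overdue items first.

    An asset is exposed to an entry when vendor and product match after
    normalisation and the CVE id is not in the asset's patched set.
    """
    findings = []
    for asset in inventory:
        for entry in catalog["vulnerabilities"]:
            if _norm(entry["vendorProject"]) != _norm(asset.vendor):
                continue
            if _norm(entry["product"]) != _norm(asset.product):
                continue
            if entry["cveID"] in asset.patched_cves:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "asset": asset.name,
                "cve": entry["cveID"],
                "due": due,
                "overdue": today > due,
                "days_past_due": max((today - due).days, 0),
            })
    # Overdue first, then by the nearest remediation deadline.
    findings.sort(key=lambda f: (not f["overdue"], f["due"]))
    return findings


def summarize(findings) -> dict:
    """Counts a compliance officer can report on: total exposures and how many are late."""
    return {
        "exposures": len(findings),
        "overdue": sum(1 for f in findings if f["overdue"]),
        "assets_affected": len({f["asset"] for f in findings}),
    }


if __name__ == "__main__":
    # Fixed "today" so the output is reproducible; replace with date.today() in use.
    for f in find_exposures(INVENTORY, KEV_SAMPLE, date(2022, 7, 3)):
        status = f"OVERDUE by {f['days_past_due']} days" if f["overdue"] else "due"
        print(f"{f['asset']:12} {f['cve']:16} {f['due']}  {status}")
    print(summarize(find_exposures(INVENTORY, KEV_SAMPLE, date(2022, 7, 3))))
```

In practice the catalog would be loaded from the live feed and the inventory from whatever system tracks installed software, but the matching and prioritisation logic is the same: an asset is only off the list once the fix for each catalogued CVE affecting its product has actually been recorded as applied.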